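# This workflow uploads a Python package using Twine when a release is created.
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
name: Upload Python Package

on:
  release:
    types: [published] # Once manually verified, draft is released
  # No support for reusable workflows (yet): https://github.com/pypi/warehouse/issues/11096
  # NOTE: `build` and `publish-to-testpypi` run for every pull request as well;
  # only `deploy` is gated on the release event. Pull requests from forks get a
  # read-only GITHUB_TOKEN and no OIDC token, so the attestation and TestPyPI
  # publish steps are expected to fail there rather than publish anything.
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow-wide default; jobs that need more declare it explicitly below.
permissions:
  contents: read

jobs:
  build:
    name: Build distribution 📦
    runs-on: ubuntu-latest
    permissions:
      contents: read
      attestations: write # actions/attest stores the SBOM attestation
      id-token: write # OIDC token used by actions/attest for Sigstore signing
    steps:
      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: block
          # Only the hosts the build steps need: git checkout, the package
          # indexes used by pip/build, the attestation API and Sigstore.
          # A new step that talks to another host must be added here or it is blocked.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            release-assets.githubusercontent.com:443
            pypi.org:443
            files.pythonhosted.org:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false # Do not leave the token in .git/config for later steps
          fetch-depth: 0 # Fetches all history and tags
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.x'
      - name: Install dependencies
        run: python -m pip install .[wheel]
      - name: Build a binary wheel and a source tarball
        run: python3 -m build
      - name: Generate SBOM for Python distribution
        run: python script/create_sbom.py --py --output-dir dist-sbom
      - name: Store the distribution packages
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: python-package-distributions
          path: dist/
      - name: Find SBOM path
        id: find-sbom
        # `-maxdepth` is a global find option and must precede `-name`
        # (GNU find warns otherwise). Fail here with a clear message if no
        # SBOM exists; an empty path would otherwise only surface as an
        # obscure error from actions/attest below.
        run: |
          set -eu
          SBOM=$(find dist-sbom -maxdepth 1 -name '*.cdx.json' | head -n 1)
          if [ -z "$SBOM" ]; then
            echo "::error::No *.cdx.json found in dist-sbom/"
            exit 1
          fi
          echo "path=$SBOM" >> "$GITHUB_OUTPUT"
      - name: Attest Python distribution with SBOM
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: 'dist/*.whl,dist/*.tar.gz'
          predicate-type: 'https://cyclonedx.org/bom'
          predicate-path: ${{ steps.find-sbom.outputs.path }}
      - name: Store the SBOM
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: python-sbom
          path: dist-sbom/

  publish-to-testpypi:
    name: Publish Python distribution 📦 to TestPyPI
    needs:
      - build
    runs-on: ubuntu-latest
    environment:
      name: testpypi
      url: https://test.pypi.org/p/dfetch
    permissions:
      id-token: write # Trusted publishing (OIDC) to TestPyPI; no API token secret needed
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish distribution 📦 to TestPyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true # Re-runs and repeated PR builds must not fail on an already-uploaded version
      - name: Test install from TestPyPI
        # pip consults both indexes for dfetch and its dependencies; the
        # intent is that dfetch comes from TestPyPI and its dependencies from
        # PyPI. `--pre` is needed because non-release builds carry pre-release versions.
        run: |
          pip install --pre --index-url https://test.pypi.org/simple/ dfetch --extra-index-url https://pypi.org/simple --user
          dfetch --help

  deploy:
    # Only the release event reaches PyPI; pull_request runs stop after TestPyPI.
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    needs:
      - build
    environment:
      name: pypi
      url: https://pypi.org/p/dfetch
    permissions:
      id-token: write # Trusted publishing (OIDC) to PyPI
      contents: write # Needed to attach the SBOM to the GitHub release below
    steps:
      - name: Download all the dists
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish distribution 📦 to PyPI
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1
        with:
          # Makes re-running a partially failed release idempotent. Note that a
          # release whose version already exists on PyPI is silently skipped
          # here rather than failing the job.
          skip-existing: true
      - name: Download SBOM
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
        with:
          name: python-sbom
          path: dist-sbom/
      - name: Upload SBOM to GitHub Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2.5.0
        with:
          tag_name: ${{ github.event.release.tag_name }}
          files: dist-sbom/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}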